Managing risk when choosing digital platforms: The keys for nonprofits
From increasing the scope of online fundraising and email marketing efforts, to enhancing association and membership management, embracing digital platforms can bring several efficiencies to nonprofit organizations. However, many organizations lose sight of potential risks when implementing new platforms and suffer significant consequences. When evaluating digital platforms, you must evaluate not only the benefits of solutions, but also the potential vulnerabilities they may exploit or create.
Almost all organizations are seeking to implement modern digital tools and technology to seize opportunities and fundamentally change the way their mission is accomplished. In short, digital platforms can be used to spur innovation and unlock the true potential of your organization. Unfortunately, potential risks can be introduced that adversely affect your organization’s ability to achieve business and strategic objectives.
To effectively evaluate and manage risks, you must understand the cause of risks. Risks typically fall into five broad categories: external, people, processes, technology and relationships.
With connected platforms and systems, cyberthreats need to be factored into your thought process. Cyberthreats can come from industrial spies, organized crime or hacktivists, and these sources can significantly disrupt your operations. Other external risks can originate with regulation and economic concerns, as well as natural disasters.
Your organization can take several actions to address external risks, including implementing a formal framework and governance strategy that considers these external factors. In addition, you can develop further preventative measures, including periodic security measures, leveraging competent security teams and user training.
Risks directly associated with employees and users are growing, mainly due to increased use of social media and networks. Improper or unsafe social media practices can lead to information leakage, information gathering from unauthorized outside sources and potential reputational attacks. In general, without proper controls in place, greater user acceptance of digital platforms leads to more risks.
To protect against growing vulnerabilities, your organization should implement social media policies and procedures and limit the use of personal online forums while on organizational computers and systems. Your key organizational information should be limited only to those who need access, and communication and contingency plans need to be developed to respond to any issues.
Several process risks can emerge with the introduction of digital platforms, including the lack of alignment with organizational needs and processes. In addition, users can resist new digital platforms and processes resulting in underutilized systems, imperfect processes and unnecessary manual effort. After implementing digital platforms, many organizations realize they have a lack of in-house skills that align with the new technology, threatening productivity and security.
Your organization can take several steps to proactively address process risks, including establishing steering committees and capital planning initiatives to evaluate the costs and benefits and potential return on investment of potential digital platforms. Requirement specifications must be clearly defined along with a communication and change management plan, and users should be involved with project implementation to increase acceptance. In addition, building strong relationships between consultants and internal project teams can help provide an outline for developing necessary in-house skills.
Implementing new technology inherently exposes your organization to new risks, as more sensitive information is stored digitally and more business is conducted online rather than in person. You must pay attention to how systems are integrated to ensure no new vulnerabilities are created and connections are secure. Your users must also be comfortable with changes in connectivity, as accessing the network in an unsafe or insecure environment can expose key information.
Many technology risks can be addressed by implementing access controls and a security testing program. Firewalls, encryption, security logging or centralized logging and infrastructure redundancy are some ways to manage these risks. Your organization can also better leverage technology and limit risks by implementing a virtualization or Software as a Service (SaaS) platform that hosts information in a secure off-premises environment.
Third-party service providers that implement or manage digital platforms can also become a source of increased risk to your organization. The use of various external vendors is growing quickly, and you must maintain centralized operations and decision-making to effectively manage those relationships. If a vendor exposes your organization to risks, you typically retain responsibility and bear the consequences, including damage to your public image.
To proactively address third-party risks, your organization should communicate strategic clarity and constancy of purpose, and inform constituents of your commitments. An effective tone at the top must be set by leadership, to establish a centralized vision and defined process for business decisions. A third-party risk assessment during new product reviews can help uncover potential issues, as can evaluating Service Organization Control reports, which provide information on internal control effectiveness for potential vendors.
Security and privacy
An emerging risk area for nonprofit organizations is security and privacy vulnerabilities. While many organizations think they do not have valuable information, your technology systems likely include names, Social Security numbers, credit card numbers and other personally identifiable information (PII) for employees, volunteers, donors and members. This information is highly sought after by hackers and other criminals. Social media and phishing attacks often attempt to trick users into either clicking on a malicious link that can hijack credentials or submitting sensitive information through a message that seems official, but isn’t.
Like other risks, a successful attack can damage your reputation, cause loss of donor and constituent trust, and endanger financial stability. However, several steps can significantly reduce your vulnerability, including initiating comprehensive security awareness campaigns, developing an incident response program, and implementing malware detection and avoidance software. Formal processes should also be designed to authorize access to client, donor and employee PII, and to initiate financial transactions.
When evaluating digital solutions, you should design a formal framework to assess their features and functionality, and at the same time assess their alignment with existing capabilities and technology, and determine if they could result in more risk exposure. Establishing this framework can mitigate risks and strengthen compliance, while also allowing you to gain new efficiencies, integrate employees more effectively, and increase accessibility and reliability of data.
Implementing digital platforms is a necessity for growth, but your organization cannot overlook the introduction of new risks. However, understanding and evaluating potential risks upfront will allow your organization to implement the strategies and controls needed to effectively introduce and use new digital systems.